Any of the below can be specified multiple times on the command line (-r included) and in addition to other Snort command line options. Note, however, that specifying -pcap-reset and -pcap-show multiple times has the same effect as specifying them once.
| Option | Description |
|---|---|
| -r <file> | Read a single pcap. |
| -pcap-single=<file> | Same as -r. Added for completeness. |
| -pcap-file=<file> | File that contains a list of pcaps to read. Can specify path to pcap or directory to recurse to get pcaps. |
| -pcap-list="<list>" | A space separated list of pcaps to read. |
| -pcap-dir=<dir> | A directory to recurse to look for pcaps. Sorted in ASCII order. |
| -pcap-filter=<filter> | Shell style filter to apply when getting pcaps from file or directory. This filter will apply to any -pcap-file or -pcap-dir arguments following. Use -pcap-no-filter to delete filter for following -pcap-file or -pcap-dir arguments or specify -pcap-filter again to forget previous filter and to apply to following -pcap-file or -pcap-dir arguments. |
| -pcap-no-filter | Reset to use no filter when getting pcaps from file or directory. |
| -pcap-reset | If reading multiple pcaps, reset snort to post-configuration state before reading next pcap. The default, i.e. without this option, is not to reset state. |
| -pcap-show | Print a line saying what pcap is currently being read. |